Restrict the AD sync for one source in case of having two HR source

kanha141 · January 9, 2024, 1:28pm

Is there any way to restrict the AD sync for one source in case of having two HR source?

dopstrick · February 12, 2024, 3:00pm

The AD attribute sync is going to be sourced from an Identity attribute, which will be determined by transform or rule on the Identity profile.

How is the identity attribute (value to be synced to AD) getting its value?

RAKGDS · February 13, 2024, 4:54am

Hi Arjun,
You can do it using a Tranform. What you can do is based on the transform calculate what value you need to send to AD from which HR source. Once that is calculate you can send only that value to AD

kanha141 · February 15, 2024, 11:28am

@dopstrick @RAKGDS Thanks for your inputs.
We have two HR sources, one is authoritative (A) and some of the managers are not in (A) so we are maintaining them in another Non Employee source (B).

We don’t want to sync the user data from source B into the AD specially the manager field which is having null value in SailPoint.

dopstrick · February 15, 2024, 1:30pm

If I’m understanding the use case correclty, I think the easiest way would be to create an ‘adManager’ attribute on the Identity, which just sources from source A. Use that attribute for sync to AD.

RAKGDS · February 18, 2024, 10:00am

Did u try using transform to calculate the value and send it to the target ?

Could you please let us know what issue are you facing if you use transform to populate the value and sync it to target?

KevinHarrington · February 18, 2024, 2:00pm

The following transform looks up the user’s record from Source A. If it does not exist it returns the static string “IN SOURCE B”. It then uses a lookup and returns the current “manager” value from AD if the input is “IN SOURCE B” otherwise it returns the manager’s distinguished Name as calculated by your logic - I just put in a stand-in “Calculate Manager AD distinguishedName” reference as an example.

{
	"attributes":{
		"input":{
			"attributes":{
				"ignoreErrors":"true",
				"values":[
					{
						"attributes":{
							"attributeName":"uniqueIdentifierFromSourceA",
							"sourceName":"Source A"
						},
						"type":"accountAttribute"
					},
					"IN SOURCE B"
				]
			},
			"type":"firstValid"
		},
		"table": {
			"IN SOURCE B":{
				"attributes":{
					"ignoreErrors":"true",
					"values":[
						{
							"attributes":{
								"attributeName":"manager",
								"sourceName":"Active Directory"
							},
							"type":"accountAttribute"
						},
						""
					]
				},
				"type":"firstValid"
			},
			"default":{
				"attributes":{
					"id":"Calculate Manager AD distinguishedName"
				},
				"type":"reference"
			}
		}
		
	},
	"type":"lookup"
}

system · April 18, 2024, 2:00pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
2 Active Directory Source connectors? ISC Discussion and Questions provisioning	7	767	July 19, 2023
Looking for alternative to Attribute Sync - Need just provisioning ISC Discussion and Questions identity-security-cloud	5	228	March 16, 2024
Restrict Attribute Sync ISC Discussion and Questions identity-security-cloud	8	296	December 29, 2023
Sync for Some Users for Source ISC Discussion and Questions identity-security-cloud , provisioning	7	219	January 28, 2024
Multiple Sources on Single Identity Account ISC Discussion and Questions identity-security-cloud , search	3	577	August 1, 2023

Restrict the AD sync for one source in case of having two HR source

Related Topics